ISMS Security Incident Management Process

1. Purpose, Scope and Users

The purpose of this document is to define a process that ensures the fast detection of security events and vulnerabilities, and the rapid reaction and response to security incidents.

This document applies to the entire scope of the Information Security Management System (ISMS), namely to all employees and other assets used within the ISMS scope, and to suppliers or other persons outside the organization who come into contact with systems and information within the ISMS scope.

Users of this document are all employees of VSHN AG and all persons mentioned above.

2. Reference Documents

3. Incident Management

An information security incident is "a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business processes and threatening information security" (ISO/IEC 27000:2016, translated from German).

3.1. Trigger of a Security Incident

The following events can trigger a security incident and should be handled according to this document.

  • Loss or theft of equipment

  • Loss or theft of information

  • Data loss on VSHN systems

  • Unauthorized access to customer data and other sensitive data (for example customer names passed on to other customers, access by customers to data of other customers, etc.)

  • Protected data (for example passwords, confidential documents, etc.) that were viewed or sent via insecure channels

  • Violation of the Acceptable Use Policy (AUP)

  • Openly accessible papers requiring protection (confidentiality level "Authorized"/"Berechtigt" or higher)

  • Indications that passwords, sensitive data or the system may have been compromised

  • Targeted attempts by third parties to gain unauthorized access to VSHN systems

  • Large-scale and noticeable attacks on VSHN systems (DDoS, viruses, etc.)

  • Long unresolved security vulnerabilities in software, packages, etc. used by VSHN (for example no updates on important servers)

  • Phishing mails whose links have been clicked by employees, or where employees subsequently entered data (for example credentials) on the linked pages.

  • Targeted phishing mail attack with APT tactics. In other words, a targeted phishing e-mail is sent to a person in VSHN, using publicly accessible data about VSHN or internal information obtained through social engineering, in order to damage VSHN.

  • Attempted or successful social engineering

  • Longer backup failures of VSHN systems

  • Longer failures of system-relevant VSHN systems

  • Physical access of unauthorized persons to the offices of VSHN

  • Possible violations of regulations or laws by VSHN or its employees

  • Other triggers where there is a suspicion that confidentiality, integrity or availability is at risk. The principle is to report one incident too many rather than too few.

3.2. Reception and Classification of Incidents, Vulnerabilities and Events

Each employee or third party who is in contact with information or systems of VSHN AG must report any system vulnerabilities, incidents or events that could lead to a possible security incident as follows:

  1. All incidents must be reported to the CISO or the Information Security Management Interest Group in order to determine possible immediate measures.

  2. The observer creates a security incident ticket according to How to Create Security Incident Tickets and assigns it to the CISO or the Information Security Management Interest Group.

The assignee of the ticket must classify the reported information as follows:

  1. Security vulnerability or event - no incident has occurred, but the event related to a system, process or organization could result in an incident in the near or distant future.

  2. Minor Incident - an incident that doesn’t have a significant impact on the confidentiality or integrity of information and can’t cause a longer-term loss of availability.

  3. Major Incident - an incident that could cause significant damage through the loss of confidentiality or integrity of information, or that could cause an interruption in the availability of information or processes for an unacceptable period of time.

  4. Incident endangering the business continuity - a serious incident that could endanger the existence of VSHN.

3.3. Treatment Procedures for Security Vulnerabilities or Events

The receiver of information about the security vulnerability or event analyzes the information, determines the cause and, if necessary, proposes preventive and corrective measures.

The receiver of the information about the incident must record the incident in the ticket system.

3.4. Treatment of Minor and Major Incidents

If a minor incident is reported, the receiver of the information must take the following steps:

  1. Take measures to isolate the incident.

  2. Analyze the causes of the incident.

  3. Take corrective action to eliminate the cause of the incident.

  4. Inform those affected by the incident and the Management about the procedure for handling the incident.

The receiver of the information about the incident must record it in the ticket system.

3.5. Treatment of Incidents that Endanger the Progress of Business

In the event of incidents that endanger the progress of business, an emergency management plan comes into effect.

The receiver of the information about the incident must record it in the ticket system.

3.6. Learning from Incidents

The CISO must review all incidents on a quarterly basis and propose appropriate preventive or corrective measures for those that recur (or those that could become significant incidents the next time they recur).

The CISO must analyze each incident recorded in the ticket system (identification of the type, origin and cost of an incident) and propose preventive or corrective measures if necessary.

The verification shall be ensured by a recurring ticket and documented in the annex.

3.7. Disciplinary Measures

The Management may initiate disciplinary processes for any violation of security rules.

3.8. Collection of Evidence

If there is a suspicion that an incident occurred due to criminal activities, evidence must be secured immediately. For this purpose, external partners with the necessary expertise in handling evidence, such as Swiss FTS, are called in. The CISO is responsible for the coordination.

4. Appendix

This policy is tracked and approved by the CISO with ticket ISMS-180.